12

Occasionally I hear people say that one-time pads are "useless" or even "broken".

"modern cryptography knows more security definitions, under some of which the one-time pad is completely broken." -- How do we know a cryptographic primitive won't fail suddenly?

...

One time pad: why is it useless in practice?

...

"we don’t need (and shouldn’t want) to use one-time pads"

...

"The one-time pad is not a semantically secure encryption algorithm."

...

"One-time pads may be theoretically secure, but they are not secure in a practical sense." -- Bruce Schneier

What specifically are these "modern ... security definitions", and how exactly is the one-time pad completely broken?

David Cary

4 Answers

22

Modern security has moved beyond looking just at passive attacks (in which the attacker is just a passive eavesdropper seeking to learn what was said); attackers are generally considered to be able and willing to pull off active attacks of various types (in which the attacker can modify or forge messages to achieve some goal). One-time pads are extremely vulnerable to modification; if an attacker knows that a message says "Pay Robert \$100,000", they can trivially change it to "Pay Joseph \$999,999". They share this property with all stream ciphers; if your ciphertext is the plaintext XOR a keystream, then an attacker who knows $P_1$ and $C_1$ can easily compute $C_2=C_1\oplus (P_1\oplus P_2)$, which decrypts to $P_2$. Working around that requires some way to verify message authenticity, which a one-time pad doesn't do (and doesn't try to do). This is provided by message authentication codes (MACs), or by a cryptosystem that combines authentication and encryption (like AES-GCM).

Also, many security properties literally do not apply to OTPs, because the properties are along the lines of "given the ability to encrypt multiple messages with the key, do X."

Uselessness is broader: even if you just need confidentiality, OTPs have serious issues for usability. That's because an OTP key has to be as long as the message and transmitted in secret; cryptography is most useful when you just need to transmit a little information secretly to encrypt a lot of stuff. An OTP is only as secure as the key exchange, so to be useful the keys have to be exchanged without relying on cryptography for security (else you're not getting perfect security). There are a few cases where they work well (like distributing in person to someone who's about to go on a mission and will need to send stuff back to you over an insecure channel), but they're rare.

cpast
5

fkraiem's answer is correct, but more context is required, in my opinion.

The one-time pad (the theoretical device) has not been broken. But real-world systems based on the one-time pad have failed in practice.

Systems based on one-time pads have failed in the past because key material has been reused, either by mistake or because the sender had run out of fresh key material.

Remember, with a one-time pad, the secret key needs to be at least as long as the message.

Thus, modern cryptosystems are designed so that this issue no longer happens. They use a short key and a nonce (https://en.wikipedia.org/wiki/Cryptographic_nonce) and in the case of stream ciphers generate a keystream which is as long as required.

Note that the same issues (running out of keystream or using the same keystream twice) could theoretically happen with a modern cryptosystem, if cycles are found within the key stream or all possible nonces have been used. (And in some cases, it does, because of implementation issues.) In order to prevent this, the nonce space is made large enough. The exhaustion of a 128-bit nonce space will not happen.

Erwan Legrand
5

In a lot of cases OTP will be completely impractical. If instead of a truly random pad you use a pseudo-random pad, you will have something a lot more practical. But it is no longer OTP, and the security proofs about OTP mean nothing in that case. I think this is the essence of the Bruce Schneier quote you mention.

If we for a moment ignore the impractical aspect of it and assume a setting in which the communicating parties have shared a random key in advance, then why might OTP be considered broken?

First of all OTP is all about confidentiality. A lot of people when they first learn about cryptography think that confidentiality is the most important aspect of cryptography. But in most cases it isn't. Integrity is usually more important. In fact confidentiality without integrity is rarely useful.

So all that provable confidentiality of OTP is useless unless you have provable integrity to go along with it. Luckily Wegman and Carter showed how to do that many years ago. Just like OTP the MAC by Wegman and Carter consumes key bits every time it is used. But the good news is that the MAC only consumes a constant number of bits each time, so much fewer bits are used for the MAC than for OTP which uses as many key bits as the length of the message.

Making it somewhat practical

The combination of OTP and Wegman-Carter MAC (or a derivative) is proven secure. But to make it practical one needs a source for a long common secret bitstring. I have only ever heard about one way to produce such a key if it wasn't shared among the two parties in advance, and that is through quantum cryptography.

Quantum cryptography does however require an authenticated classical channel. So you cannot bootstrap quantum cryptography without first sharing some secret between the communicating parties. But if you have shared enough key bits for a Wegman Carter MAC, then you can use quantum cryptography to produce a longer shared key for further communication.

The key material produced by quantum cryptography can be used to exchange messages on a classical channel using OTP + Wegman Carter for security. One of course has to save enough bits for the MAC on another round of the quantum communication to refill the pool of key bits.

kasperd
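An added example, not code from any of the answers, that walks through two points made above: cpast's observation that a known-plaintext XOR turns one OTP ciphertext into another, and kasperd's OTP + Wegman-Carter construction that detects the change while consuming a constant number of pad bytes per message. The polynomial hash over GF(2^127 - 1), the 15-byte block encoding, the 32-byte MAC key and the 256-byte pad are my constructed choices, not anything the answers specify.

```python
import secrets

P = (1 << 127) - 1   # field for the universal hash (2^127 - 1, a constructed choice for the example)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Pad:  # one party's copy of the shared random pad; bytes are consumed once, never reused
    def __init__(self, pool):
        self.pool, self.pos = pool, 0
    def take(self, n):
        if self.pos + n > len(self.pool):
            raise RuntimeError("pad exhausted; refusing to reuse key material")
        chunk, self.pos = self.pool[self.pos:self.pos + n], self.pos + n
        return chunk

def poly_hash(r, msg):
    """Universal hash: 15-byte blocks of msg, each with a 0x01 pad byte so the encoding is injective,
    evaluated as a polynomial in r over GF(P)."""
    h = 0
    for i in range(0, len(msg), 15):
        h = (h + int.from_bytes(msg[i:i + 15] + b"\x01", "big")) * r % P
    return h

def wc_tag(pad, msg):
    """Wegman-Carter one-time MAC: universal hash masked by fresh pad bits; a constant 32 bytes per message."""
    r = int.from_bytes(pad.take(16), "big") % P
    s = int.from_bytes(pad.take(16), "big") % P
    return (poly_hash(r, msg) + s) % P

def seal(pad, plaintext):
    """OTP-encrypt, then MAC the ciphertext; consumes len(plaintext) + 32 bytes of pad."""
    ct = xor(plaintext, pad.take(len(plaintext)))
    return ct, wc_tag(pad, ct)

def open_(pad, ct, tag):
    """Decrypt in the same pad order as seal; returns None when the tag does not verify."""
    pt = xor(ct, pad.take(len(ct)))
    return pt if wc_tag(pad, ct) == tag else None

def demo():
    pool = secrets.token_bytes(256)           # constructed shared pad, e.g. handed over in person
    alice, bob = Pad(pool), Pad(pool)         # each party holds an identical copy
    p1, p2 = b"Pay Robert $100,000", b"Pay Joseph $999,999"
    ct, tag = seal(alice, p1)
    forged = xor(ct, xor(p1, p2))             # cpast's C2 = C1 xor (P1 xor P2), no key needed
    return {"honest": open_(Pad(pool), ct, tag),           # verifies, decrypts to p1
            "forged_no_mac": xor(forged, pool[:len(p1)]),  # a MAC-less receiver would accept p2
            "forged_with_mac": open_(bob, forged, tag),    # tag fails, so None
            "pad_used": alice.pos}                         # 19 + 32 bytes for this one message
```

Sender and receiver must consume the pad in the same order, which is why `open_` mirrors `seal`; a second message from the same sender simply continues from `alice.pos`, and the pool refuses to hand out bytes twice.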
0

Modern definitions of security require being able to securely encrypt a large number of messages with the same key, which is by definition not possible with a one-time pad.

fkraiem